From f3b346a9de40b7d2705c862d67e817e6c4d31a3d Mon Sep 17 00:00:00 2001
From: Hank Donnay
Date: Fri, 6 Mar 2026 12:41:26 -0600
Subject: [PATCH 1/2] migrations: add `vuln.not_vulnerable`
This adds a column to Vulnerability records that inverts their meaning.
See-also: https://issues.redhat.com/browse/CLAIRDEV-85
Change-Id: Ice2a3d58f922a96670b923118451aa4b3e81c11a
Signed-off-by: Hank Donnay
---
 .../postgres/migrations/matcher/18-vulnerability-not.sql | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 datastore/postgres/migrations/matcher/18-vulnerability-not.sql
diff --git a/datastore/postgres/migrations/matcher/18-vulnerability-not.sql b/datastore/postgres/migrations/matcher/18-vulnerability-not.sql
new file mode 100644
index 000000000..1a08e37bc
--- /dev/null
+++ b/datastore/postgres/migrations/matcher/18-vulnerability-not.sql
@@ -0,0 +1,4 @@
+ALTER TABLE vuln
+ADD COLUMN IF NOT EXISTS not_vulnerable BOOLEAN NOT NULL DEFAULT false;
+
+COMMENT ON COLUMN vuln.not_vulnerable IS 'Invert the meaning of the record: assert that described versions are not vulnerable.';
From bc5f81e5735f4696b8f04f9997007cd7eef50943 Mon Sep 17 00:00:00 2001
From: Hank Donnay
Date: Thu, 5 Mar 2026 09:38:22 -0600
Subject: [PATCH 2/2] claircore: invert flag to `Vulnerability`
See-also: https://issues.redhat.com/browse/CLAIRDEV-85
Change-Id: I4053d16eb2589dc2eb24fc194c19537b954e065d
Signed-off-by: Hank Donnay
---
 vulnerability.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/vulnerability.go b/vulnerability.go
index d16f1914f..d78cc1cb2 100644
--- a/vulnerability.go
+++ b/vulnerability.go
@@ -50,6 +50,10 @@ type Vulnerability struct {
 // For instances from a claircore "datastore" implementation, this will also
 // include the "Self" alias.
 Aliases []Alias
+
+ // Invert means this Vulnerability should be interpreted as an assertion
+ // that matched packages are NOT vulnerable to the indicated flaw.
+ Invert bool
 }
 
 // CheckVulnernableFunc takes a vulnerability and an indexRecord and checks if the record is
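Review bot: The new `Invert` field reverses what a record asserts, so any consumer that does not read it will treat a "not vulnerable" record as an ordinary positive match; only the zero value `false` preserves today's behaviour. Neither patch in this series shows the matcher or report code consulting the flag, so presumably that lands in a follow-up, and records with `Invert` set should not be written before it does. The doc comment should say where the value is persisted and what unaware readers will do, for example `// Stored as vuln.not_vulnerable; code that ignores Invert reports the record as a normal match.` The field and the column from patch 1/2 carry different names (`Invert` vs `not_vulnerable`), which is worth aligning or calling out in that comment. The struct body begins outside the hunk, so serialization tags and other fields are not visible from here.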